blog.BitLet.org

Saturday, September 29, 2007

You can find online the new upload section!Basically it is a web page that lets you generate and directly upload the torrent metafile.

Currently the upload puts the generated metafile on mininova, but you can link the web page with different parameters in order to post the metafile to other servers: soon there will be an option to use the upload with fenopy, for instance.

How to use it

The user should go to http://www.bitlet.org/upload?postUrl=encodedPostUrl&doneUrl=encodedDoneUrlto generate the .torrent metafile, that will be directly posted to the postUrl address and then the user will be asked to go to doneUrl.

After the user clicks the create button and chooses the file or directory, the applet generates the metafile and posts it (to postUrl) directly from the browser.The post is a simple http post with Content-Type: multipart/form-data and it contains a single parameter named torrent with the torrent metafile in binary form, I guess if you're using php you can just access $_FILES['torrent']. The applet expects a text/plain response with the hash of the info dictionary of the posted metafile in ASCII (e.g: d901895bc378d0b6ffcb87a4f9503bf51664d475.)

Then the user will be asked to go to doneUrl with the hash parameter (doneUrl?hash=d901895bc378d0b6ffcb87a4f9503bf51664d475) where the user should complete the file submission.

Should you provide a download with BitLet after the torrent submission, the applet will try to guess the correct path to start seeding the file.

Please ask the user to start seeding the files, after the submission is completed.

Usually I'm quite cryptic when I write, so don't hesitate to contact me if there's something I didn't explain well.

Sunday, September 2, 2007

The point about certificates and signing

If you ever tried to use BitLet, you should have encountered a window that says you that the signature of the applet cannot be verified (see the screenshot below).

Since some users appear to be quite puzzled about what is the exact meaning of that message, we will try to shed some light on this issue.

Let's start from the beginning...In order to protect users from malicious applets, the JVM (Java Virtual Machine) considers the code of applets that are embedded in web pages to be untrusted, and it is executed in a sort of sandbox, which prevents it from executing any action that could (possibly) harm the client system.

This means that, by default, common Java applets are not allowed to perform some tasks, including opening network connections to other servers or to access the filesystem of the client machine on which they are running.

Obviously, any bittorrent client (including BitLet) needs to perform both those operations to be of some use, even without intending to do any harm.

In order to overcome this problem, the applet is digitally signed, i.e. it is signed using a digital certificate that ensures that the applet comes from the certificate holder.

This brings us back to the first line of this post. You are seeing that annoying message because the certificate used to sign BitLet is not issued by a trusted Certificate Authority. Actually, it was generated on a common development box. Why?

Because code signing certificates cost. And they cost a lot of money, too.

If you know any CA that issues that kind of certificates without charging outrageously high prices, don't hesitate to let us know or drop us a line in the comments.